Purpose

The purpose of this alert is to bring attention to the active exploitation of database services through default installation configurations.

Assessment

CCIRC is aware of attackers leveraging knowledge of default installation configurations for database services. Open-source news reports indicate that these actors have been observed scanning for and accessing MongoDB installations with default configurations, exporting the data to a host they control, wiping the contents of the database, and then holding the data for ransom.

With default installation configurations, several database software packages are easily susceptible to this type of attack, because they either require no authentication at all (e.g. MongoDB) or ship with publicly known default credentials.
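To make the point above concrete, here is an added example that is not part of CCIRC's alert or of MongoDB's own tooling: a small audit of a mongod.conf for the two settings that decide whether a default install is exposed, authentication (security.authorization) and the listening interface (net.bindIp). Those two keys are MongoDB's real YAML settings; the two sample configurations are constructed for the example.

```python
"""Audit a mongod.conf for the two default-install weaknesses this alert describes:
no authentication, and a listener reachable from every interface. Example code written
for this page; it parses only the nested 'key: value' subset of YAML mongod.conf uses."""

def parse_conf(text):
    """Indentation-based parser returning nested dicts for 'key: value' lines."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping); popping on dedent restores the parent
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:  # a bare key opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def setting(conf, section, key):
    """Fetch conf[section][key], or None when either level is absent."""
    sect = conf.get(section)
    return sect.get(key) if isinstance(sect, dict) else None

def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    findings = []
    # MongoDB enforces authentication only when security.authorization is 'enabled'
    if str(setting(conf, "security", "authorization")).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that can "
                        "reach the port can read, export and drop every database")
    # An absent bindIp falls back to the server version's default (older releases
    # listened on every interface); an explicit 0.0.0.0 exposes it on any version
    bind = setting(conf, "net", "bindIp") or ""
    if not bind or "0.0.0.0" in [a.strip() for a in bind.split(",")]:
        findings.append("net.bindIp is missing or 0.0.0.0: listener is not restricted "
                        "to localhost or a private management interface")
    return findings

# Constructed sample configurations; not taken from any real deployment
WEAK_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = ("storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n"
                 "  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n")
```

Run `audit()` over the config actually deployed on each host; a non-empty result on an internet-reachable server is exactly the exposure the reports above describe.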

Suggested action

CCIRC strongly discourages paying any ransom. Paying a ransom does not guarantee that you will get your data back, and it encourages further criminal activity.

CCIRC recommends that organizations review the following mitigation information and consider their implementation in the context of their network environment.

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.